Wikipedia

Ring learning with errors signature: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Declining submission: essay - Submission reads like an essay (AFCH 0.9)
Kylras (talk | contribs)
223 edits
Link suggestions feature: 3 links added.
 
(78 intermediate revisions by 37 users not shown)
Line 1:
[[Digital signature]]s are a means to protect [[Digital data|digital information]] from intentional modification and to authenticate the source of digital information. [[Public key cryptography]] provides a rich set of different cryptographic algorithms the create digital signatures. However, the primary public key signatures currently in use ([[RSA (cryptosystem)|RSA]] and [[Elliptic Curve Digital Signature Algorithm|Elliptic Curve Signatures)]] will become completely insecure if scientists are ever able to build a moderately sized [[quantum computer]].<ref name=":2">{{Cite web|title = ETSI - Quantum-Safe Cryptography|url = http://www.etsi.org/technologies-clusters/technologies/quantum-safe-cryptography|website = ETSI|access-date = 2015-07-05|first = Sabine|last = Dahmen-Lhuissier}}</ref> [[Post-quantum cryptography|Post quantum cryptography]] is a class of cryptographic algorithms designed to be resistant to attack by a quantum cryptography. Several post quantum digital signature algorithms based on hard problems in lattices are being created replace the commonly used [[RSA (cryptosystem)|RSA]] and elliptic curve signatures. A subset of these lattice based scheme are based on a problem known as [[Ring learning with errors]]. Ring learning with errors based digital signatures are among the post quantum signatures with the smallest public key and signature sizes
{{AFC submission|d|essay|u=Carvalho1988|ns=118|decliner=Anarchyte|declinets=20150623040347|ts=20150525223444}} <!-- Do not remove this line! -->
 
== Background ==
{{AFC comment|1=Amazing beginning but just not there yet. '''--<span style="text-shadow:gray 0.2em 0.3em 0.2em">[[User:Anarchyte|<span style="color:red">Anar</span>]][[User talk:Anarchyte|<span style="color:green">chyte</span>]]</span>''' 04:03, 23 June 2015 (UTC)}}
Developments in [[quantum computing]] over the past decade and the optimistic prospects for real quantum computers within 20 years have begun to threaten the basic cryptography that secures the internet.<ref>{{Cite web|title = Quantum computing breakthrough claim from IBM|url = http://www.cio.co.uk/news/r-and-d/quantum-computing-breakthrough-claim-from-ibm-3609914/|access-date = 2015-06-01|first = Agam|last = Shah|archive-date = 2015-09-23|archive-url = https://web.archive.org/web/20150923203728/http://www.cio.co.uk/news/r-and-d/quantum-computing-breakthrough-claim-from-ibm-3609914/|url-status = dead}}</ref><ref>{{Cite news|title = Researchers Report Milestone in Developing Quantum Computer|url = https://www.nytimes.com/2015/03/05/science/quantum-computing-nature-google-uc-santa-barbara.html|newspaper = The New York Times|date = 2015-03-04|access-date = 2015-07-05|issn = 0362-4331|first = John|last = Markoff}}</ref> A relatively small [[quantum computer]] capable of processing only ten thousand of bits of information would easily break all of the widely used [[Public-key cryptography|public key]] cryptography algorithms used to protect privacy and digitally sign information on the internet.<ref name=":2" /><ref>{{Cite journal|title = Efficient Networks for Quantum Factoring|journal = Physical Review A|date = 1996|issn = 1050-2947|pages = 1034–1063|volume = 54|issue = 2|doi = 10.1103/PhysRevA.54.1034|pmid = 9913575|first1 = David|last1 = Beckman|first2 = Amalavoyal N.|last2 = Chari|first3 = Srikrishna|last3 = Devabhaktuni|first4 = John|last4 = Preskill|arxiv = quant-ph/9602016|bibcode = 1996PhRvA..54.1034B|s2cid = 2231795}}</ref>
 
TheOne of the most widely used public key algorithm used to create [[digital signatures]] is known as [[RSA (cryptosystem)|RSA]].   Its security is based on the classical difficulty of factoring the product of two large and unknown primes into the constituent primes.  This problem, theThe [[integer factorization problem]], is believed to be intractable on any conventional computer if the primes are chosen at random and are sufficiently large.  However, to breakfactor anthe RSA keyproduct of lengthtwo n-bit bitsprimes, a quantum computer with roughly 3n6n bits of logical [[qubit]] memory and capable of executing a program known as [[Shor's algorithm|Shor’s algorithm]] will beeasily able to [[integer factorization|factor]]accomplish the keytask.<ref>{{Cite journal|title = Oversimplifying quantum factoring|url = http://www.nature.com/nature/journal/v499/n7457/full/nature12290.html|journal = Nature|date = July 11, 2013|issn = 0028-0836|pages = 163-165163–165|volume = 499|issue = 7457|doi = 10.1038/nature12290|language = en|firstfirst1 = John A.|lastlast1 = Smolin|first2 = Graeme|last2 = Smith|first3 = Alexander|last3 = Vargo|pmid=23846653|arxiv = 1301.7007|bibcode = 2013Natur.499..163S|s2cid = 4422110}}</ref>  Because Shor's algorithm can also quickly break digital signatures based on what is known as the key[[discrete logarithm]] problem and the sizesmore foresoteric [[ellipticElliptic curve cryptography]]|elliptic arecurve smallerdiscrete thanlogarithm]] forproblem. RSAIn effect, a similarlyrelatively sizedsmall quantum computer also running Shor’sShor's algorithm willcould also easilyquickly break newerall of the digital signatures schemesused basedto onensure the arithmeticprivacy and integrity of ellipticinformation on the internet curvestoday.
----
 
Even though we do not know when a quantum computer to break RSA and other digital signature algorithms will exist, there ishas been active research onover the past decade to create cryptographic algorithms which remain secure even when an attacker has the resources of a quantum computer at their disposal.<ref name=":2" /><ref name=":4">{{Cite web|title = Introduction|url = http://pqcrypto.org/|website = pqcrypto.org|access-date = 2015-07-05}}</ref>  This new area of cryptography is called [[Post-quantum cryptography|Post Quantum]] or [[Quantum Safe Cryptography|Quantum Safe]] cryptography.<ref name=":2" /><ref name=":4" />  This article is about one class of these algorithms:   digital signatures based on the Ring Learning with Errors problem. The use of the general [[Learning with errors|Learning with Errors]] problem.  The use of this problem in cryptography was introduced by Oded Regev in 2005 and has been the source of a rich literature of analysis andseveral cryptographic designs.<ref>{{Cite web|title = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdfThe Learning with Errors Problem|url = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf|website = www.cims.nyu.edu|accessdateaccess-date = 2015-05-24}}</ref>
[[Digital signature|Digital Signatures]] are a means to protect [[Digital data|digital information]] from intentional modification and to authenticate the source of digital information. [[Public-key cryptography|Public key]] signature algorithms such as the Ring [[learning with errors]] signature (RLWE-SIG) is a member of a new class of cryptographic algorithms ([[Post-quantum cryptography]]) designed to resist cryptanalytic attacks run on a [[Quantum computing|quantum computer]]. All of the public key digital signature algorithms in use are easily broken by a quantum computer and scientists are making steady progress towards creating large scale quantum computers. Having signatures the withstand attack by a quantum computer is important for the long term safety of the internet and [[E-commerce|electronic commerce]].
 
The creators of the Ring-based Learning with Errors (RLWE) basis for cryptography believe that an important feature of these algorithms based on Ring-Learning with Errors is their provable reduction to known hard problems.<ref>{{Cite book |date = 2010|pages = 1–23|first1 = Vadim|last1 = Lyubashevsky|first2 = Chris|last2 = Peikert|first3 = Oded|last3 = Regev| title=Advances in Cryptology – EUROCRYPT 2010 | chapter=On Ideal Lattices and Learning with Errors over Rings | series=Lecture Notes in Computer Science | volume=6110 |citeseerx = 10.1.1.297.6108|doi=10.1007/978-3-642-13190-5_1| isbn=978-3-642-13189-9 |editor-last=Gilbert|editor-first=Henri }}</ref><ref>{{Cite web|title = What does GCHQ's "cautionary tale" mean for lattice cryptography?|url = http://www.cc.gatech.edu/~cpeikert/soliloquy.html|website = www.cc.gatech.edu|access-date = 2015-07-05|url-status = dead|archive-url = https://web.archive.org/web/20150706150530/http://www.cc.gatech.edu/~cpeikert/soliloquy.html|archive-date = 2015-07-06}}</ref> The signature described below has a provable reduction to the [[Shortest vector problem|Shortest Vector Problem]] in an [[Ideal lattice cryptography|ideal lattice]].<ref name=":0">{{Cite book|title=Cryptographic Hardware and Embedded Systems – CHES 2012|last1=Güneysu|first1=Tim|last2=Lyubashevsky|first2=Vadim|last3=Pöppelmann|first3=Thomas|date=2012|publisher=Springer Berlin Heidelberg|isbn=978-3-642-33026-1|editor-last=Prouff|editor-first=Emmanuel|series=Lecture Notes in Computer Science|volume=7428|pages=530–547|chapter=Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems|doi=10.1007/978-3-642-33027-8_31|editor-last2=Schaumont|editor-first2=Patrick}}</ref> This means that if an attack can be found on the Ring-LWE [[cryptosystem]] then a whole class of presumed hard computational problems will have a solution.<ref>{{Cite journal|title = The shortest vector in a lattice is hard to approximate to within some constant|url = http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.109.7305|journal = In Proc. 39th Symposium on Foundations of Computer Science|date = 1998|pages = 92–98|first = Daniele|last = Micciancio}}</ref>
=== Introduction ===
Developments in [[quantum computing]] over the past decade and the optimistic prospects for real quantum computers within 20 years have begun to threaten the basic cryptography that secures the internet.<ref>{{Cite web|title = Quantum computing breakthrough claim from IBM|url = http://www.cio.co.uk/news/r-and-d/quantum-computing-breakthrough-claim-from-ibm-3609914/|accessdate = 2015-06-01|first = Agam|last = Shah}}</ref>  A relatively small quantum computer capable of processing only ten thousand of bits of information will easily break all of the the widely used [[Public-key cryptography|public key]] cryptography algorithms used to digitally sign information in computer networks.
 
The first RLWE based signature was developed by Lyubashevsky in his paper "Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures"<ref name=":5">{{Cite book|publisher = Springer Berlin Heidelberg|date = 2009-01-01|isbn = 978-3-642-10365-0|pages = 598–616|series = Lecture Notes in Computer Science|first = Vadim|last = Lyubashevsky|editor-first = Mitsuru|editor-last = Matsui|doi = 10.1007/978-3-642-10366-7_35|title = Advances in Cryptology – ASIACRYPT 2009|volume = 5912|chapter = Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures}}</ref> and refined in "Lattice Signatures Without Trapdoors" in 2011.<ref name=":1">{{Cite journal|title = Lattice Signatures Without Trapdoors|url = http://eprint.iacr.org/2011/537|date = 2011|first = Vadim|last = Lyubashevsky| journal=Cryptology ePrint Archive }}</ref> A number of refinements and variants have followed. This article highlights the fundamental [[mathematical structure]] of RLWE signatures and follows the original Lyubashevsky work and the work of Guneysu, Lyubashevsky and Popplemann ([https://web.archive.org/web/20140518004537/http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf GLP]).<ref name=":0" /> This presentation is based on a 2017 update to the GLP scheme called GLYPH.<ref name=":3">{{Cite web|url=https://eprint.iacr.org/2017/766.pdf|title=GLYPH: A New Instantiation of the GLP Digital Signature Scheme|last=Chopra|first=Arjun|date=2017|website=International Association of Cryptographic Research eprint Archive|archive-url=https://web.archive.org/web/20170828012937/https://eprint.iacr.org/2017/766.pdf|archive-date=28 August 2017|access-date=26 August 2017|url-status=bot: unknown}}</ref>
The most widely used public key algorithm used to create [[digital signatures]] is known as [[RSA]].  Its security is based on the classical difficulty of factoring the product of two large and unknown primes into the constituent primes.  This problem, the [[integer factorization problem]], is believed to be intractable on any conventional computer if the primes are chosen at random and are sufficiently large.  However, to break an RSA key of length n bits, a quantum computer with roughly 3n bits of logical qubit memory and capable of executing a program known as [[Shor's algorithm|Shor’s algorithm]] will be able to [[integer factorization|factor]] the key.<ref>{{Cite journal|title = Oversimplifying quantum factoring|url = http://www.nature.com/nature/journal/v499/n7457/full/nature12290.html|journal = Nature|date = July 11, 2013|issn = 0028-0836|pages = 163-165|volume = 499|issue = 7457|doi = 10.1038/nature12290|language = en|first = John A.|last = Smolin|first2 = Graeme|last2 = Smith|first3 = Alexander|last3 = Vargo}}</ref>  Because the key sizes for [[elliptic curve cryptography]] are smaller than for RSA, a similarly sized quantum computer also running Shor’s algorithm will also easily break newer signatures schemes based on the arithmetic of elliptic curves.
 
TheA RingRLWE-LWE digital signatureSIG works in the quotient [[ring of polynomials]] modulo a degree n polynomial Φ(x) with coefficients in the ring[[finite field]] FZ<sub>q</sub> for an integerodd prime q ( i.e. the ring FZ<sub>q</sub>[x]/Φ(x) ).<ref name=":1" /> Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod Φ(x). For this presentation a typical polynomial is expressed as:
Even though we do not know when a quantum computer to break RSA will exist, there is active research on cryptographic algorithms which remain secure even when an attacker has the resources of a quantum computer at their disposal.  This new area of cryptography is called [[Post-quantum cryptography|Post Quantum]] or [[Quantum Safe Cryptography|Quantum Safe]] cryptography.  This article is about one class of these algorithms:  digital signatures based on the Ring [[Learning with errors|Learning with Errors]] problem.  The use of this problem in cryptography was introduced by Oded Regev in 2005 and has been the source of a rich literature of analysis and cryptographic designs.<ref>{{Cite web|title = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf|url = http://www.cims.nyu.edu/~regev/papers/lwesurvey.pdf|website = www.cims.nyu.edu|accessdate = 2015-05-24}}</ref>
 
<math>a(x) = a_0 + a_1x + a_{2}x^2 + \ldots + a_{n-3}x^{n-3} + a_{n-2}x^{n-2} + a_{n-1}x^{n-1}</math>
An important feature of algorithms based on Ring-Learning with Errors is their provable reduction to known hard problems. The signature described below has a provable reduction to the [[Shortest vector problem|Shortest Vector Problem]] in an [[integer lattice]]. This means that if an attack can be found on the Ring-LWE cryptosystem then a whole class of presumed hard computational problems will have a solution.<ref>{{Cite journal|title = The shortest vector in a lattice is hard to approximate to within some constant|url = http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.109.7305|journal = in Proc. 39th Symposium on Foundations of Computer Science|date = 1998|pages = 92–98|first = Daniele|last = Micciancio}}</ref> Other lattice based cryptographic algorithms do not have such a strong security reduction and are based to the inability of anyone to find an effective attack.
 
The field Z<sub>q</sub> has its representative elements in the set { -(q-1)/2, ...-1, 0, 1, ... (q-1)/2 }. When n is a power of 2, the polynomial Φ(x) will be the [[cyclotomic polynomial]] x<sup>n</sup> + 1. Other choices of n are possible but the corresponding cyclotomic polynomials are more complicated or their security not as well studied.
This article describes one of the basic digital signature algorithms based on the Learning with Errors problem over polynomial rings. The algorithm invented by Lyubashevsky and described in his 2012 paper "Lattice Signatures Without Trapdoors. <ref>{{Cite book|url = http://link.springer.com/chapter/10.1007/978-3-642-29011-4_43|publisher = Springer Berlin Heidelberg|date = 2012|isbn = 978-3-642-29010-7|pages = 738–755|series = Lecture Notes in Computer Science|language = en|first = Vadim|last = Lyubashevsky|editor-first = David|editor-last = Pointcheval|editor-first2 = Thomas|editor-last2 = Johansson|doi = 10.1007/978-3-642-29011-4_43|chapter = Lattice Signatures without Trapdoors|title = Advances in Cryptology – EUROCRYPT 2012|volume = 7237}}</ref> The presentation that follows closely follows a specific description of that algorithm by Guneysu, Lyubashevsky and Poppleman (GLP).<ref name=":0" />  A later section of this article references other approaches to digital signatures based on creating trapdoor signatures using lattices based on the unproven but presumed hard problem of finding Shortest Integer Solution in a type of lattice used by the [[NTRUSign|NTRU cryptosystem]].
 
=== BackgroundGenerating "small" polynomials. ===
TheA RLWE signature algorithm uses polynomials which are considered "small" with respect to a measure called the "[[infinity norm.]]". The [[infinity norm]] for a polynomial is simply the largest absolute value of the largest coefficientcoefficients of the polynomial when thethose representation of the ring elementscoefficients are takenviewed as theintegers setin {Z -(rather than Z<sub>q-1)</2,sub> ...-1,<ref name=":0," 1, ... (q-1)/2 }.> The signature algorithm will generatecreate random polynomials which are small with respect to thea particular infinity norm bound. This is easily done by randomly generating all of the [[Coefficient|coefficients of the polynomial]] (a<sub>n-10</sub>, ..., a<sub>0n-1</sub>) in a manner which areis guaranteed or very likely to be smallless than or equal to this bound. ThereIn the literature on Ring Learning with Errors, there are two common ways to do this:<ref name=":1" />
The Ring-LWE digital signature works in the ring of polynomials modulo a degree n polynomial Φ(x) with coefficients in the ring F<sub>q</sub> for an integer q ( i.e. the ring F<sub>q</sub>[x]/Φ(x) ). Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod Φ(x). For this presentation a typical polynomial is expressed as:
#* Using [[Uniform distribution (discrete)|Uniform Sampling]] - The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let b be an integer that is much less than q. If we randomly choose polynomial coefficients from the set: { -βb, -βb+1, -βb+2. ... -2, -1, 0, 1, 2, ... , βb-2, βb-1, βb} the polynomialinfinity willnorm beof smallthe withpolynomial respectwill tobe the bound (βb).
#* Using Discrete Gaussian Sampling - For an odd value forinteger q, the coefficients are randomly chosen by sampling from the set { -(q-1)/2 to (q-1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter σ. The references describeprovide inmore fulldetails detail howon this can be accomplished. A paper by Peikert, "An Efficient and Parallel Gaussian Sampler for Lattices provides a method for this sampling.<ref>{{Cite web|title = http://www.cc.gatech.edu/~cpeikert/pubs/pargauss.pdf|url = http://www.cc.gatech.edu/~cpeikert/pubs/pargauss.pdf|website = www.cc.gatech.edu|accessdate = 2015-05-30}}</ref>
In the RLWE signature GLYPH used as an example below, coefficients for the "small" polynomials will use the [[Uniform distribution (discrete)|uniform sampling]] method and the value b will be much smaller than the value q.<ref name=":0" />
 
=== Hashing to a "small" polynomial ===
<math>a(x) = a_0 + a_1x + a_{2}x^2 + \ldots + a_{n-3}x^{n-3} + a_{n-2}x^{n-2} + a_{n-1}x^{n-1}</math>
Most RLWE signature algorithms also require the ability to [[Cryptographic hash function|cryptographically hash]] arbitrary bit strings into small polynomials according to some distribution. The example below uses a hash function, POLYHASH(ω), which accepts a bit string, ω, as input and outputs a polynomial with n coefficients such that exactly k of these coefficients have absolute value greater than zero and less than an integer bound b (see above).
 
=== Rejection sampling ===
The signature algorithm uses polynomials which are considered "small" with respect to a measure called the "infinity norm." The infinity norm for a polynomial is simply the value of the largest coefficient of the polynomial when the representation of the ring elements are taken as the set { -(q-1)/2, ...-1, 0, 1, ... (q-1)/2 }. The algorithm will generate random polynomials which are small with respect to the infinity norm. This is done by randomly generating the coefficients of the polynomial (a<sub>n-1</sub>, ..., a<sub>0</sub>) which are guaranteed or very likely to be small. There are two common ways to do this:
AnA importantkey feature of theRLWE Ring-LWE Signaturesignature algorithmalgorithms is the use of a technique known as [[rejection sampling]].<ref name=":1" /><ref name=":5" /> In this technique, if the [[infinity norm]] of the computeda signature polynomialspolynomial exceeds a fixed bound, '''β,''' the signaturethat valuespolynomial will be discarded and the signing process will startbegin again. This process will be repeated until the infinity norm of the signature polynomialspolynomial is less than or equal to the bound. Rejection sampling ensures that the output signature is not exploitably correlated with the signer's secret key values.
# Using Uniform Sampling - The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let b be an integer that is much less than q. If we randomly choose coefficients from the set: { -β, -β+1, -β+2. ... -2, -1, 0, 1, 2, ... , β-2, β-1, β} the polynomial will be small with respect to the bound (β).
# Using Discrete Gaussian Sampling - For an odd value for q, the coefficients are randomly chosen by sampling from the set { -(q-1)/2 to (q-1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter σ. The references describe in full detail how this can be accomplished. A paper by Peikert, "An Efficient and Parallel Gaussian Sampler for Lattices provides a method for this sampling.<ref>{{Cite web|title = http://www.cc.gatech.edu/~cpeikert/pubs/pargauss.pdf|url = http://www.cc.gatech.edu/~cpeikert/pubs/pargauss.pdf|website = www.cc.gatech.edu|accessdate = 2015-05-30}}</ref>
The signature described below will randomly sample small polynomials according to two distribution specified as '''D''' and '''D''''.
 
In the example which follows, the bound, '''β,''' will be (b - k), where b is the range of the uniform sampling described above and k will be the number of non-zero coefficients allowed in an "accepted" polynomial<ref name=":0" />
This signature algorithm also requires the ability to cryptographically hash bit strings into small small polynomials according to some distribution. For this presentation, there will exist a hash function, HASH(b), which accepts a bit string,b, as input and outputs a small polynomial according to a third probability distribution '''D<nowiki>''</nowiki>'''. GLP provides a very specific instance of such a mapping in their paper.<ref name=":0">{{Cite book|url = http://link.springer.com/chapter/10.1007/978-3-642-33027-8_31|publisher = Springer Berlin Heidelberg|date = 2012|isbn = 978-3-642-33026-1|pages = 530–547|series = Lecture Notes in Computer Science|language = en|first = Tim|last = Güneysu|first2 = Vadim|last2 = Lyubashevsky|first3 = Thomas|last3 = Pöppelmann|editor-first = Emmanuel|editor-last = Prouff|editor-first2 = Patrick|editor-last2 = Schaumont|doi = 10.1007/978-3-642-33027-8_31|chapter = Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems|title = Cryptographic Hardware and Embedded Systems – CHES 2012|volume = 7428}}</ref> Associated with this function is be a bound, '''β''', which will be used in verification of signatures. A signature will be accepted as valid if a polynomial p(x) created during the verification operation has an infinity norm less than or equal to '''β'''.
 
=== Other parameters ===
Finally q will be an odd prime such that q is congruent to 1 mod 4. The maximum degree of the polynomials (n) will be a power of 2, g(x) will be x<sup>n</sup> + 1, and a(x) will be a randomly chosen and fixed polynomial. Note that a(x) will not be "small."
Following GLYPH and as noted above, the maximum degree of the polynomials will be n-1 and therefore have n coefficients.<ref name=":0" /> Typical values for n are 512, and 1024.<ref name=":0" /> The coefficients of these polynomials will be from the field F<sub>q</sub> where q is an odd prime congruent to 1 mod 4. For n=1024, GLYPH sets q = 59393, b=16383 and k the number of non-zero coefficients in the output of Polyhash equal to 16.<ref name=":3" /> The number of non-zero coefficients k produced by the hash function is equal to 32 for both cases.<ref name=":0" /> The security of the signature scheme is closely tied to the relative sizes of n, q, b, and k. Details on setting these parameters can be found in references 5 and 6 below.<ref name=":1" /><ref name=":0" /><ref name=":3" />
 
As noted above, the polynomial Φ(x) which defines the ring of polynomials used will be x<sup>n</sup> + 1. Finally, a(x) will be a randomly chosen and fixed polynomial with coefficients from the set { -(q-1)/2 to (q-1)/2 }. The polynomial a(x) should be chosen in a "[[Nothing up my sleeve number|Nothing Up My Sleeve]]" manner such as [[One-way function|one-way hashing]] the output of a true noise random number generator (TRNG) or using the digital expansion of well known mathematical constans such as pi or e. All signers and verifiers of signatures will know n, q, b, k, Φ(x), a(x) and '''β''' = b-k.
All signers and verifiers of signatures will know n, q, a(x), '''D''', '''D'''', '''D<nowiki>''</nowiki>''' and '''β'''.
 
=== RejectionPublic Samplingkey generation ===
An entity wishing to sign messages generates its public key through the following steps:
An important feature of the Ring-LWE Signature algorithm is the use of a technique known as [[rejection sampling]]. In this technique if the infinity norm of the computed signature polynomials exceeds a fixed bound, '''β,''' the signature values will be discarded and the signing process will start again. This process will be repeated until the infinity norm of the signature polynomials is less than or equal to the bound. Rejection sampling ensures that the output signature is not exploitably correlated with the signer's secret key values.
# Generate two small polynomials s(x) and e(x) with coefficients chosen uniformly from the set {-b,...-1, 0, 1, ..., b}
# Compute t(x) = a(x)·s<sub>0</sub>(x) + s<sub>1</sub>e(x)
# Distribute t(x) as the entity's public key
The polynomials s(x) and e(x) serve as the private key and t(x) is the corresponding public key. The security of this signature scheme is based on the following problem. Given a polynomial t(x) find small polynomials f<sub>1</sub>(x) and f<sub>2</sub>(x) such that: a(x)·f<sub>1</sub>(x) + f<sub>2</sub>(x) = t(x)
 
If this problem is difficult to solve, then the signature scheme will be difficult to forge. [See the Wikipedia article on [[Ring Learning with Errors]] or [[Ideal lattice cryptography|Ideal Lattice Cryptography]] for more details on the theoretical difficulty of this problem]
=== Public Key Generation ===
An entity wishing to sign messages generates its public key through the following steps:
# Generate two small polynomials s<sub>0</sub>(x) and s<sub>1</sub>(x) according to a distribution '''D'''.
# Compute t(x) = a(x)·s<sub>0</sub>(x) + s<sub>1</sub>(x)
# Distribute t(x) as the entity's public key
 
=== Signature Generationgeneration ===
ToFollowing GLYPH,<ref name=":3" /> to sign a message m expressed as a bit string, the signing entity does the following:
# Generate two small polynomials y<sub>01</sub>(x) and y<sub>12</sub>(x) accordingwith tocoefficients a distribution '''D'''' (notfrom the same as that used in key generation) set {-b, ..., 0, ...., b}
# Compute w(x) = a(x)·y<sub>01</sub>(x) + y<sub>12</sub>(x)
# Map w(x) into a bit string b ω
# Compute c(x) = HASHPOLYHASH(bω | m) (This is a polynomial with k non-zero coefficients. The "|" denotes concatenation of strings)
# Compute z<sub>01</sub>(x) = s<sub>0</sub>(x)·c(x) + y<sub>01</sub>(x)
# Compute z<sub>12</sub>(x) = s<sub>1</sub>e(x)·c(x) + y<sub>12</sub>(x)
# Until the infinity normnorms of cz<sub>1</sub>(x) and z<sub>2</sub>(x) ≤ '''β = ('''B then- k) go to step 1. (This is the rejection sampling step noted above)
# The signature is the triple of polynomials c(x), z<sub>01</sub>(x) and z<sub>12</sub>(x)
# Transmit the message along with c(x), z<sub>01</sub>(x) and z<sub>12</sub>(x) to the verifier.
 
=== Signature Verification ===
ToFollowing GLYPH,<ref name=":3" /> to verify a message m expressed as a bit string, the verifying entity must possespossess the signer's public key (t(x)), the signature (c(x), z<sub>01</sub>(x), z<sub>12</sub>(x)), and the message m. The verifier does the following:
# Verify that the infinity norms of z<sub>01</sub>(x) and z<sub>12</sub>(x) are all small with respect to the bound '''β''' , if not reject the signature.
# Compute w'(x) = a(x)·z<sub>01</sub>(x) + z<sub>12</sub>(x) - t(x)c(x)
# Map w'(x) into a bit string bω'
# Compute c'(x) = HASHPOLYHASH(bω' | m)
# If c'(x) ≠ c(x) reject the signature, otherwise accept the signature as valid.
Notice that:
# Accept the signature as valid.
Notice that a(x)·z<sub>0</sub>(x) + z<sub>1</sub>(x) - t(x)c(x)
 
= a(x)·[sz<sub>01</sub>(x) + z<sub>2</sub>(x) - t(x)c(x) = a(x)·[s(x)·c(x) + y<sub>01</sub>(x)] + z<sub>12</sub>(x) - [a(x)·s<sub>0</sub>(x) + s<sub>1</sub>e(x)]c(x)
 
{{=}} a(x)·y<sub>01</sub>(x) + z<sub>12</sub>(x) - s<sub>1</sub>e(x)·c(x)
 
{{=}} a(x)y<sub>01</sub>(x) + s<sub>1</sub>e(x)·c(x) + y<sub>12</sub>(x) - s<sub>1</sub>e(x)·c(x)
 
{{=}} a(x)y<sub>01</sub>(x) + y<sub>12</sub>(x) = w(x) (as defined above)
 
This brief derivation demonstrates that the verification process will have c'(x) = c(x) if the signature was not tampered with.
 
=== OtherFurther Approachesdevelopments ===
The GLYPH signature scheme described in this document closely follows the work of Lyubashevsky, Gunesyu and Popplemen from 2011 and 2012. There are a number of other variations to their work. These include:
There are a number of other cryptographic signatures based on lattices over polynomial rings. Notable among these is the Trapdoor Lattice approach by Ducas, Durmas, Lepoint and Lyubashevsky found in "Lattice Signatures and Bimodal Gaussians." <ref>{{Cite journal|title = Lattice Signatures and Bimodal Gaussians|url = http://eprint.iacr.org/2013/383|date = 2013|first = Léo|last = Ducas|first2 = Alain|last2 = Durmus|first3 = Tancrède|last3 = Lepoint|first4 = Vadim|last4 = Lyubashevsky}}</ref> This approach allows for shorter signatures than the GLP system described above. This savings, however, is at the expense of a provable reduction to a known hard mathematical problem. The security of this Bimodal Gaussian Lattice Signature which has come to be known as BLISS is closely related to a patented signature called [[NTRUSign|NTRUsign]].
* Work by Bai and Galbraith on short signatures documented [https://eprint.iacr.org/2013/838 here].<ref>{{Cite web|title = Cryptology ePrint Archive: Report 2013/838|url = https://eprint.iacr.org/2013/838|website = eprint.iacr.org|access-date = 2016-01-17}}</ref>
* Work by Akleylek, Bindel, Buchmann, Kramer and Marson on security proofs for the signature with fewer security assumptions and documented [https://eprint.iacr.org/2015/755 here].<ref>{{Cite web|title = Cryptology ePrint Archive: Report 2015/755|url = https://eprint.iacr.org/2015/755|website = eprint.iacr.org|access-date = 2016-01-17}}</ref>
 
Another approach to signatures based on lattices over Rings is a variant of the patented NTRU family of lattice based cryptography. The primary example of this approach is a signature known as the Bimodal Lattice Signature Scheme (BLISS). It was developed by Ducas, Durmas, Lepoint and Lyubashevsky and documented in their paper "Lattice Signatures and Bimodal Gaussians."<ref>{{Cite web|title = Cryptology ePrint Archive: Report 2013/383|url = https://eprint.iacr.org/2013/383|website = eprint.iacr.org|access-date = 2016-01-17}}</ref> See [[BLISS signature scheme]]
 
=== References ===
{{Reflist}}
 
==External links==
 
{{ Cryptography navbox | public-key }}
 
[[Category:Post-quantum cryptography]]
=== References ===
[[Category:Lattice-based cryptography]]
<nowiki/><nowiki/>
Retrieved from "https://en.wikipedia.org/wiki/Ring_learning_with_errors_signature"